The German perspective: EU and U.S. data protection “umbrella agreement”

After over four years of negotiations, the European Union and the United States agreed on a framework data protection agreement on 8 September 2015 (Umbrella Agreement). The Umbrella Agreement covers all personal data exchanged between the European Union and the United States for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism. According to the Q&As posted on the EU Commission’s website, the Umbrella Agreement shall “provide safeguards and guarantees of lawfulness for data transfers.”

During the negotiations, the Umbrella Agreement was widely criticized throughout the EU because EU citizens could not file lawsuits in the United States to enforce their data protection rights. The U.S. Privacy Act allows only U.S. residents to obtain redress for data privacy and protection violations. As part of the Umbrella Agreement, the U.S. Congress introduced an amendment to the U.S. Privacy Act known as the “Judicial Redress Bill.” If adopted, the Judicial Redress Bill will permit an EU citizen to use U.S. courts to (for example) have his or her name deleted from U.S. blacklists if the name was mistakenly included.

In Germany, first reactions by political commentators to the agreement are moderately optimistic, and the agreement is seen as an important step to rebuild trust after the National Security Agency (NSA) spying revelations. More importantly, the Umbrella Agreement includes many of the same general data privacy and protection principles followed in Germany and other EU countries, including:

Limitations on data use – Personal data may only be used for the purpose of preventing, investigating, detecting or prosecuting criminal offences.

Onward transfer – Any onward transfer to a non-U.S., non-EU country or international organisation requires the prior consent of the competent data protection authority of the country from which the personal data was originally transferred.

Retention periods – Personal data may not be retained for longer than necessary or appropriate. The decision on what is an acceptable duration must take into account the impact on people’s rights and interests. Retention periods must be published or otherwise made publicly available.

Right to access and rectification – Any individual will be entitled to access their personal data – subject to certain conditions, given the law enforcement context – and to request corrections.

While the increased data protection and proposed Judicial Redress Bill are positive developments, some commentators in Germany criticize the Umbrella Agreement’s lack of a clear and easy process for data protection enforcement in the United States for EU citizens. The critics claim that most individuals will not even know when and if their data protection rights are violated.

The U.S. Congress and the EU Parliament and Council still must ratify the Umbrella Agreement, the full text of which is not yet available, but we expect that the Umbrella Agreement will unite the European Union and the United States on an increased level of data protection. We will report on the Umbrella Agreement again once its full text is made public.